
ENCRYPTION METHOD BASED ON FACTORIZATION 

The present invention relates to an asymmetrical and public 
encryption method. In particular, the invention relates to a 
method for encrypting data on the basis of the factorization 
problem. In this context, the decryption of encrypted data is 
as complex as the problem of finding large prime divisors of
large numbers. In detail, in the present invention, quadratic 
equations are to be solved for the decryption. 

Encryption methods are used to protect data from unauthorized
access when stored or during transmission over insecure
communication channels. In so doing, the data are changed in
such a way that this change cannot be undone without knowledge
of a specific key. Encryption methods may be subdivided into
the categories of asymmetrical and symmetrical. In symmetrical
methods, the same key is used both for encryption and for
decryption. Asymmetrical methods have two different keys, of
which one is used for encryption and the other for decryption.
In this context, all users can know the encryption key,
whereas the decryption key must be kept secret. Therefore, the
encryption key is also known as the public key, and the
decryption key as the private key. Book [1] according to the
literature list, for example, offers an overview of modern
encryption methods.

The methods of Rabin ([3]) and Williams ([6]), which likewise
utilize quadratic equations, are known. However, in these
methods, only half of the data bits are sent per transmission.
Corresponding complexity restrictions thereby arise, and a
greater demand for computing power during the encryption and
the decryption.

Using polynomials of the second degree, the method of Schwenk
and Eisfeld ([5]) offers little security against attacks which
take advantage of the dependencies of message parts $m_1$ and $m_2$
on one another.

The objective is achieved by an invention having the features
delineated in the independent claims. An asymmetrical
encryption method is thereby described based on the
factorization problem. It has less complexity than the RSA
method in the encryption, and is able to transmit more data
bits per encryption than the Rabin method or Williams method.

As already described above, the present invention concerns an
asymmetrical encryption method. The public key is made up of a
large composite number n; the private key is made up of the
factors of the composite number. The encryption is made up of
a number of iterations of individual encryption steps that are
successively reversed during the decryption. The reversal of
an individual encryption step requires the solving of a
quadratic equation modulo n (see below). Such a quadratic
equation can only be easily solved if the factors of n are
known.

The private key is preferably made up of the large prime
numbers p and q. The public key is the product n of these two
prime numbers, as well as a comparatively small integer L
which is greater than one. Message m is made up of two
integral values $m_1$ and $m_2$, so that

$$m = (m_1, m_2),$$

both values lying in the set $Z_n = \{0, 1, 2, \ldots, n-1\}$.
The encryption is accomplished via the equation

$$c = f^L(m).$$

In the present case, encrypted value c is likewise made up of
a double tuple of integers from $Z_n$, that is, $c = (c_1, c_2)$.

Function $f^L(m)$ is recursively defined by

$$f^{j+1}(m) = f(f^j(m)).$$

For j = 1, $f^1(m) = f(m) = (f_1(m), f_2(m))$ applies, where

$$f_1(m) = m_1 + m_2 \bmod n$$

$$f_2(m) = m_1 \cdot m_2 \bmod n.$$

The encrypted text is therefore obtained by the recursions

$$a_{i+1} = a_i + b_i \bmod n \qquad (1)$$

$$b_{i+1} = a_i \cdot b_i \bmod n \qquad (2)$$

with the starting values $a_0 = m_1$, $b_0 = m_2$ and the final values
$c_1 = a_L$, $c_2 = b_L$.

For the decryption, one must be able to reverse the recursion.
This is accomplished by solving the above equations for $a_i$ and
$b_i$. One immediately obtains the quadratic equation

$$z^2 - a_{i+1} \cdot z + b_{i+1} = 0 \bmod n, \qquad (3)$$

which has $a_i$ and $b_i$ as solutions. The problem of the further
solutions of equation (3) will be discussed later. If n is the
product of very large prime numbers, then the solution of
quadratic equations without knowledge of the prime factors is
presumably a very difficult problem. With knowledge of the
prime factors, however, this is possible without difficulty.
The current methods for taking the root modulo n are described
in detail in [2].

To ensure the security of the encryption system, the recursion
must be performed at least twice, since otherwise, if it is
performed exactly one time, the message parts $m_1$ and $m_2$ enter
in linear fashion into the term $a_1 = m_1 + m_2$.

Another important aspect is the selection of the correct roots 
for the decryption. 

If the number n contains exactly two prime factors p and q,
equation (3) has four solutions. With a few bits for each
$a_i$, i = 1, 2, ..., L, the sender is able to eliminate
multivaluedness for the legitimate receiver. To resolve the
multivaluedness, for example, error detection characters or
parity characters may in each case be derived from $a_i$.

In the most favorable case, 2 bits per iteration step are
needed to completely resolve the multivaluedness in each step.
The 4 solutions of equation (3) are given by

$$z_{1,2,3,4} = \frac{a_{i+1}}{2} + w_{1,2,3,4} \bmod n \qquad (4)$$

where

$$w_{1,2,3,4} = \sqrt{a_{i+1}^2/4 - b_{i+1}}$$

are the four square roots of the above expression modulo n.
The four values are connected as follows:

$$w_1 = -w_2 \bmod n \quad \text{and} \quad w_3 = -w_4 \bmod n$$

We select the parity (even, odd) of the four roots so that

$$w_1, w_3 = \text{even} \quad \text{and} \quad w_2, w_4 = \text{odd}$$

One particularly elegant solution making it possible to
differentiate all four roots from one another is as follows
for $p \equiv q \equiv 3 \bmod 4$:

In addition to parity, the so-called Jacobi symbol $(w_i/n)$ is
used as a further discriminant criterion (for theory and
efficient calculation, see, for example, [2]). For non-trivial
values of $w_i$, as are needed in the decryption, the Jacobi
symbol supplies the value 1 or -1. The Jacobi symbol can be
calculated with expenditure $O(\log^2 n)$.

The parity and the Jacobi symbol are sufficient for precisely
selecting one of the four roots $w_{1,2,3,4}$. The parity and the
Jacobi symbol are able to be coded using 2 bits. By appending
these two bits in each of the L iteration steps, the
legitimate receiver is given the ability to reverse the L
iteration steps.

The root leading to solution $a_i$ in equation (4) is designated
by $w_i$, thus, $a_i = a_{i+1}/2 + w_i \bmod n$. The parity and the Jacobi
symbol are each specified with respect to this root. With the
establishment of the value of $a_i$, the value for $b_i$ then follows
immediately as $b_i = a_{i+1} - a_i \bmod n$. In summary, one thus
obtains

$$a_i = a_{i+1}/2 + w_i \bmod n \qquad (5)$$

$$b_i = a_{i+1}/2 - w_i \bmod n. \qquad (6)$$

In the encryption, at each step, from the number pair $(a_i, b_i)$,
the pair $(a_{i+1}, b_{i+1})$ is calculated, as well as the parity and
the Jacobi symbol of $w_i = (a_i - a_{i+1}/2) \bmod n$.

With knowledge of the factorization, these steps can each be
reversed by solving

$$\sqrt{a_{i+1}^2/4 - b_{i+1}} \bmod n,$$

parity and Jacobi symbol of this root being represented.

Another important aspect is the parameter selection. At
present, realistic orders of magnitude for each of the two
prime numbers are from approximately 510 bits, i.e., n has a
length of approximately 1020 bits. For L, a magnitude
$O(\log \log n)$ is recommended; for n of 1000 bits, a value of
approximately 3-10.

The bit lengths to be selected in the future may be oriented 
to the parameters of the RSA method. 

An advantage of the method presented here is that the quantity
of useful data is twice as great as in comparable methods.

Using standard algorithms, an encryption complexity of
$O(L \log^2 n)$ is reached, if one calculates the expenditure for a
multiplication using $O(\log^2 n)$. When using current algorithms,
one must reckon with an expenditure of $O(L \log^3 n)$ for the
decryption complexity. If an order of magnitude of
$O(\log \log n)$ is selected for L, a time advantage (in addition
to the greater useful-data rate) results for the encryption
compared to the RSA method.

As in the case of the Rabin method and Williams method, care
must be taken in the implementation that, in each case, only
the correct roots of equation (3) exit the decoder during the
decryption, since otherwise the number n can be factored.

In another refinement, as in the RSA method, module [sic] n
may also contain more than two large prime factors. Naturally,
the number of solutions for equation (3) also increases
accordingly.

A further generalization is achieved by introducing additional
constants in the recursion:

$$a_{i+1} = k_1 \cdot a_i + k_2 \cdot b_i \bmod n$$

$$b_{i+1} = k_3 \cdot a_i \cdot b_i \bmod n,$$

which are made known as part of the public key. The decoding
is performed in correspondingly modified form.

In another specific embodiment, the magnitude of the tuple is
altered. Instead of working with double tuples $m = (m_1, m_2)$, it
is also possible to work with q tuples. In the following, the
expansion based on triple tuples is illustrated. The message
is now made up of the triple tuple

$$m = (m_1, m_2, m_3).$$

The formula for the Lth iteration step is still

$$f^{j+1}(m) = f(f^j(m)),$$

the basic iteration $f^1(m) = (f_1(m), f_2(m), f_3(m))$, however, being
formed as follows:

$$f_1(m) = m_1 + m_2 + m_3 \bmod n$$

$$f_2(m) = m_1 \cdot m_2 + m_1 \cdot m_3 + m_2 \cdot m_3 \bmod n$$

$$f_3(m) = m_1 \cdot m_2 \cdot m_3 \bmod n.$$

The inverse calculation is accomplished by solving a third-degree
equation. The roots may again be discriminated by
information (parity symbol, Jacobi symbol, etc.) derived
accordingly from the interim results. The expansion to degrees
greater than or equal to four may be accomplished in analogous
manner. In the iteration, essentially the elementary-symmetric
Newtonian terms must be considered, to which additional
constants, as already described above, may be added.

In the following, the method of the present invention is
elucidated in light of an example. For reasons of clarity, the
numbers in the following are selected to be very small. Let us
say $n = 8549 = p \cdot q$, with the private prime numbers p = 83
and q = 103. Let us assume the number of iterations L = 3, and
the message to be encrypted is given by $m = (m_1, m_2) =
(123, 456)$. Even parity is coded by a zero, uneven parity by a
one. Parity bit $b_P$ is used for this. If the Jacobi symbol is
equal to one, a one is coded, if it is equal to minus one, a
zero is coded. Jacobi bit $b_J$ is used for this.

The following values are obtained

$(a_0, b_0) = (123, 456)$

$(a_1, b_1) = (579, 4794)$

$(a_2, b_2) = (5373, 5850)$

$(a_3, b_3) = (2674, 5926)$

To each of the three pairs $(a_1, b_1)$, $(a_2, b_2)$ and $(a_3, b_3)$,
L · 2 bits of parity bits and Jacobi bits, given in the
example by the following binary vector $[b_P, b_J, b_P, b_J, b_P, b_J] =
(0,0,1,1,0,1)$, are also added.

Initially, the receiver determines the four roots
$w_{1,2,3,4} = 1629, 4036, 4513, 6920$. Based on $b_P = 0$, the receiver
recognizes that the correct root is even. Thus, only 4036 and
6920 remain. Of these, (4036/8549) = -1 and (6920/8549) = 1.
$b_J = 0$ implies that 4036 is the correct selection. An
analogous procedure leads to the complete decryption.
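
The recursions (1) and (2), the root selection by parity and Jacobi bit, and the inversion by equations (5) and (6) can be checked against the numbers above with the following Python sketch. It is an added example, not part of the original text; the function names are chosen here, and it assumes two prime factors with p ≡ q ≡ 3 mod 4, as in the example. The bits are recorded per step in encryption order; read from the last iteration to the first they give (0,0,1,1,0,1).

```python
from itertools import product

P, Q, L = 83, 103, 3   # page's toy private primes (both = 3 mod 4) and iteration count
N = P * Q              # public modulus n = 8549

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0."""
    a, result = a % n, 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def encrypt(m1, m2, n=N, rounds=L):
    """Apply recursions (1), (2); return (c1, c2) and one (b_P, b_J) pair per step."""
    a, b, bits, inv2 = m1 % n, m2 % n, [], pow(2, -1, n)
    for _ in range(rounds):
        a_next, b_next = (a + b) % n, (a * b) % n
        w = (a - a_next * inv2) % n            # w_i = a_i - a_{i+1}/2 mod n
        bits.append((w % 2, int(jacobi(w, n) == 1)))
        a, b = a_next, b_next
    return (a, b), bits

def square_roots(x, p=P, q=Q):
    """All w with w^2 = x mod p*q, for p = q = 3 mod 4 (needs the private factors)."""
    n = p * q
    rp, rq = pow(x, (p + 1) // 4, p), pow(x, (q + 1) // 4, q)
    cp, cq = q * pow(q, -1, p), p * pow(p, -1, q)   # CRT coefficients
    roots = {(sp * cp + sq * cq) % n for sp, sq in product((rp, -rp), (rq, -rq))}
    return sorted(w for w in roots if w * w % n == x % n)

def decrypt(c, bits, p=P, q=Q):
    """Undo each step with equations (5), (6), picking the root named by (b_P, b_J)."""
    (a, b), n = c, p * q
    inv2 = pow(2, -1, n)
    for bp, bj in reversed(bits):
        half = a * inv2 % n
        match = [w for w in square_roots((half * half - b) % n, p, q)
                 if w % 2 == bp and int(jacobi(w, n) == 1) == bj]
        if len(match) != 1:                    # never emit an ambiguous or wrong root
            raise ValueError("root selection failed")
        a, b = (half + match[0]) % n, (half - match[0]) % n
    return a, b
```
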

In certain application cases, e.g. when the unencrypted
message m contains redundancy, it is possible to dispense with
the co-transmission of the bits for resolving the
multivaluedness. For example, this is the case for normal
texts or when a so-called hash value was already placed in m.
However, this is done at a decryption expenditure increased by
a factor of $4^L$. Corresponding compromises are likewise
possible; for example, the specification of only the parity in
each of the L steps reduces the number of bits to be
co-transmitted to L bits, and increases the decryption
expenditure by the factor $2^L$.

As in the asymmetrical methods known in the literature
([1], [3], [4], [5]), a so-called digital signature method may be
attained essentially by the interchange of encryption
operations and decryption operations in the proposed method as
well.